Recently, the House of Commons' Standing Committee on Finance released its report titled, "Confronting Money Laundering and Terrorist Financing: Moving Canada Forward" (the "Report"). The Report was released pursuant to the Standing Committee's mandate under Standing Order 108(2), which directed the Committee to study the Proceeds of Crime (Money Laundering) and Terrorist Financing Act ("PCMLTFA") and was […]

Privacy compliance is top of mind, not least because of the GDPR and Canada's new mandatory breach notification rules. While you are updating your practices and procedures, do not forget that the Guidelines for obtaining meaningful consent (the "Guidelines") will apply starting on January 1, 2019.

Experience has shown us time and again that, of all the elements contributing to effective investigations, there are a few critical areas to which investigators consistently devote too little time and effort; four, to be exact.

If you ask a group of cybersecurity experts what should be included in a Cybersecurity Incident Response Plan (“CIRP”), you will get a wide variety of answers. Happily, many of those answers contain similar themes including these ten important considerations your organization should be aware of when creating and managing a CIRP.

RPA and AI technologies can be a game-changer for your organization from a commercial perspective, but procuring those technologies and managing the new risk landscape requires a fundamental shift in mindset vis-à-vis a traditional outsourcing contract.

A recent survey by Protiviti offers interesting data on how many organizations had to issue a cyber-security disclosure. Apparently, issuing a disclosure generally resulted in an increase in SOX compliance hours, although the reason for a significant increase is not clear.

British Airways' experience, described in this article, underscores that cybersecurity is important. Canadian entities preparing for the mandatory security breach reporting and notification rules coming into force soon can take lessons from British Airways' response to its security breach.

It can be relatively difficult to read the tea leaves in the CRTC’s approach to CASL enforcement, because there is little public record of those enforcement activities. This was noted by the Standing Committee on Industry, Science and Technology, in its statutory review of the Act. However, what signs do exist suggest that enforcement activities are accelerating. In 2016 and 2017, the CRTC announced only one undertaking in a CASL proceeding. By contrast, in the first quarter of 2018, there have already been two.

A key takeaway for organizations is that it is not enough to comply with other provisions in PIPEDA, for example, obtaining meaningful consent. Organizations must still show that their purposes for collecting, using or disclosing personal information are those that a reasonable person would consider appropriate in the circumstances.

Is ROI on cyber really as high as it may seem at first glance? At some point, it may be better to consider cyber risk a "cost of doing business". If you can't actually reduce the likelihood of a breach, can you at least increase the likelihood of prompt detection and response?

The OSC recently approved a settlement agreement in which the respondent admitted to providing material non-public information to a third party. The order in Re Hutchinson, which did not include an administrative penalty or disgorgement of profits, was held to be in the public interest given the respondent’s cooperation and other mitigating factors.